- to provide reasonable assurance that the goals of each business process are being achieved.
- to mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts).
- to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.
Introduction to Internal Control:
Why do we need controls?
Risk - the possibility that an event or action will cause an organization to fail to meet its objectives.
Common Business Exposures:
1) Erroneous Record Keeping: is the recording of events contrary to established accounting policies. This exposure is often caused by the incomplete or inaccurate processing of an event.
2) Unacceptable Accounting: is the establishment or implementation of accounting policies that are not generally accepted or are inappropriate to the circumstances. This exposure is often caused by an improper interpretation or willful disregard of GAAP or some other set of accounting regulations.
3) Business Interruptions: may include anything from a temporary suspension of operations to a permanent termination of the enterprise. This exposure may be caused by a number of factors, including irreparable damage to an organization's database.
4) Erroneous Management Decisions: are objectionable in themselves but may also lead to other exposures. This exposure is often caused by managers using misleading information or failing to acquire necessary information relative to a particular decision.
5) Fraud and Embezzlement: may be perpetrated at different levels (against management or by management). This exposure may be caused by direct misappropriation of funds or by deliberate communication of misinformation to management or investors.
6) Statutory Sanctions: are any of the various penalties that may be brought by judicial or regulatory authorities that have jurisdiction over an organization's operations. This exposure may be caused by a number of factors, including violation of the Foreign Corrupt Practices Act (FCPA).
7) Excessive Costs: may include incurring unnecessary expenses involved in operating a business. This exposure may be caused by failing to require that all expenditures over a certain dollar amount be approved.
8) Loss or destruction of resources: loss of physical resources (cash, inventory, etc.) and the loss of information (inventory master data, accounts receivable master data, etc.). This exposure is often caused by a lack of adequate safeguards over an organization's resources.
9) Competitive disadvantage: relates to any inability of an organization to remain abreast of the demands of the marketplace or to respond effectively to competitive challenges. This exposure may be caused by a number of factors, including the use of an outdated computer system that fails to respond to customer needs as effectively as do systems used by competitors.
Sarbanes-Oxley Act (2002):
-Created the Public Company Accounting Oversight Board (PCAOB), which is responsible for overseeing the auditors of public companies to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports
-Increased accountability of individuals involved in financial reporting and operations (officers and board of directors)
-Increased penalties for white-collar crime and securities fraud
-Prohibits audit firms from providing an array of non-audit services to audit clients, specifically the design and implementation of financial information systems
The PCAOB is known as the auditor of auditors: it is the watchdog of public accounting firms. It can arrive unannounced, with access to all files, to audit a firm. This is to ensure that accounting practices are in accordance with accounting standards.
The PCAOB has also issued four new standards. The most widely known among accountants is Section 404 of Auditing Standard #2, which:
- states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
- contains an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
References:
http://www.law.uc.edu/CCL/SOact/sec404.html
http://www.pcaobus.org/news_and_events/news/2005/05-16.aspx
SOX Sections:
1) Title I-- Public Company Accounting Oversight Board: independent board must oversee public company audits; SEC oversees board.
2) Title II-- Auditor Independence: CPA firm cannot audit systems they helped develop; requires audit partner rotation
3) Title III--Corporate Responsibility: CEO/CFO must certify quarterly and annual reports
4) Title IV-- Enhanced Financial Disclosures: Each annual report filed with the SEC must include internal control report; auditors must attest to and report assessment made by management.
5) Title V-- Analysts Conflicts of Interests: Must disclose relevant conflicts of interest
6) Title VI-- Commission Resources and Authority: SEC authorizes those persons practicing before the SEC
7) Title VII-- Studies and Reports: Authorizes the GAO to analyze the consolidation of public accounting firms and offer solutions to problems.
8) Title VIII-- Corporate and Criminal Fraud Accountability: felony to intentionally obstruct documents in a federal investigation; Offers protection to whistle blowers
9) Title IX-- White-Collar Crime Penalty: establishes criminal penalties for CEOs/CFOs who certify and file false/misleading financial statements with the SEC (up to $5 million and 20 years in prison).
10) Title X-- Corporate Tax Returns: "Sense of the Senate" that federal income tax returns are signed by the CEO.
11) Title XI-- Corporate Fraud and Accountability: establishes criminal penalties for individuals who obstruct documents in official proceedings. The SEC can prohibit anyone who has committed securities fraud from serving as an officer/director.
Fraud - a deliberate act or untruth intended to obtain unfair or unlawful gain.
E&Y Report: 85% of fraud is committed by company insiders. Management's legal responsibility to prevent fraud is implied by laws such as the Foreign Corrupt Practices Act.
Two basic types of Computer Crimes:
1) The computer is used as the tool of the criminal to accomplish the illegal act.
2) The computer or the information stored in it is the target of the criminal.
Defining Internal Control
Committee of Sponsoring Organizations (COSO) Definition of Internal Control - Internal control is a process - effected by an entity's board of directors, management, and other personnel - designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
5 Interrelated components of Internal Control:
1) Control Environment: Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
2)Risk Assessment: is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
3) Control Activities: are the policies and procedures that help ensure that management directives are carried out.
4)Information and communication: are the identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities.
5)Monitoring: is a process that assesses the quality of internal control performance over time.
Textbook's Definition of Internal Control - a system of integrated elements - people, structure, processes, procedures - acting in concert to provide reasonable assurance that an organization achieves its business process goals.
Design and operation of internal control system is management's responsibility and should:
-Reflect management's careful assessment of risks.
-Be based on management's evaluation of costs versus benefits.
-Be built on management's strong sense of business ethics and personal integrity.
4 steps of a General Control Model:
1) Establish desired state of process: This is where the organization establishes the objectives that it desires to achieve and toward which the control system is directed. For example, the organization may define one objective as "comply with applicable laws and regulations."
2) Observe and Document actual state of process: To perform these actions we can use the tools described in Chapter 4 (i.e., narrative, flowchart, etc.).
3)Evaluate process: Notice that there are two inputs: the documentation and the process's objectives. Essentially, this reflects a comparison (variance analysis) of plan (or budget) to actual results.
4)Recommend changes to process (if necessary): Recommendations must be made carefully, as there are many cost-benefit factors to consider.
Method of risk assessment (pg. 239, know the calculation):
1) Estimate the annual dollar loss that would occur should a costly event, say a destructive fire, take place. For argument's sake, say that the estimated loss is -$1,000,000.
2) Estimate the annual probability that the event will occur. Suppose the estimate is 5 percent.
3) Multiply item 1 by item 2 to get an initial expected gross risk (loss) of -$50,000 = (-$1,000,000 x .05), which is the maximum amount or upper limit that should be paid for control and the related risk reduction offered by such controls, in a given year. Next, we illustrate a recommendation plan using one corrective control, a fire insurance policy, and one preventive control, a sprinkler system.
4) Assume that the company would pay $1,000 annually (cost of control) for a $20,000 fire insurance policy (reduced risk exposure due to control). The estimated monetary damage remains at $1 million and expected gross risk (loss) remains at -$50,000, because there is still a 5 percent chance that a fire could occur. But, the company’s residual expected risk exposure is now -$31,000 = [-$50,000 + ($20,000 - $1,000)]. Our expected loss is reduced by the amount of the insurance policy (less the cost of the policy).
5) Next, you recommend that the company install a sprinkler system with a 5-year annualized cost (net present value) of $10,000 each year to install and maintain (cost of control). At this point you might be tempted to say that the company’s residual expected risk just increased to -$41,000 = (-$31,000 - $10,000), but wait! The sprinkler system lowered the likelihood of a damaging fire from 5 to 2 percent. In conjunction with this lower probability, the insurance company agreed to increase its coverage to $30,000 while holding the annual premium constant at $1,000.
6) Thus, the residual expected risk exposure is -$1,000, calculated as follows: Expected gross risk (-$20,000 or -$1,000,000 x .02) plus the insurance policy ($30,000) equals a gain of $10,000, but we must subtract the insurance premium ($1,000) and the sprinkler system ($10,000), leaving the residual expected risk at -$1,000.
*Cost of control cannot exceed value of asset it is safeguarding.
*You can't afford to prevent all loss
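The six-step calculation above, carried through in code as an added example that is not from the notes or the textbook they summarize. The `Threat` and `Control` structures, the function names, and the rule that the most effective preventive control sets the probability are assumptions of this example; the dollar figures are the notes' own. It keeps the notes' convention of offsetting the full insurance coverage against the expected loss rather than weighting the coverage by probability, and it also checks the two closing rules: annual control spend must stay within the gross expected loss, and no control may cost more than the asset it protects.

```python
"""Expected gross risk and residual expected risk with controls.

Added example; the fire scenario and figures come from the notes above,
while the data structures, function names and preventive/corrective
modelling are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Control:
    """One control in the recommendation plan."""
    name: str
    annual_cost: float                               # cost of control, per year
    coverage: float = 0.0                            # corrective: amount recovered if the event occurs
    reduces_probability_to: Optional[float] = None   # preventive: new annual probability


@dataclass
class Threat:
    name: str
    estimated_loss: float    # annual dollar loss if the event occurs (positive number)
    probability: float       # annual probability that the event occurs


def expected_gross_risk(threat: Threat, controls: List[Control] = ()) -> float:
    """Step 3: loss x probability, returned as a negative number (a loss).

    Preventive controls lower the probability; assumption: the most
    effective one present sets the figure.
    """
    p = threat.probability
    for c in controls:
        if c.reduces_probability_to is not None:
            p = min(p, c.reduces_probability_to)
    return -threat.estimated_loss * p


def residual_expected_risk(threat: Threat, controls: List[Control]) -> float:
    """Steps 4-6: gross risk, plus corrective coverage, minus control costs.

    Follows the notes' convention of offsetting the full coverage amount
    against the expected loss rather than weighting it by probability.
    """
    gross = expected_gross_risk(threat, controls)
    coverage = sum(c.coverage for c in controls)
    cost = sum(c.annual_cost for c in controls)
    return gross + coverage - cost


def control_spend_within_limit(threat: Threat, controls: List[Control]) -> bool:
    """The gross expected loss (before controls) is the upper limit on annual
    control spend, and no single control may cost more than the asset it protects."""
    limit = -expected_gross_risk(threat)
    spend = sum(c.annual_cost for c in controls)
    return spend <= limit and all(c.annual_cost <= threat.estimated_loss for c in controls)


# Scenario from the notes: a destructive fire, 5 percent annual probability.
FIRE = Threat("destructive fire", estimated_loss=1_000_000, probability=0.05)
INSURANCE_20K = Control("fire insurance", annual_cost=1_000, coverage=20_000)
SPRINKLER = Control("sprinkler system", annual_cost=10_000, reduces_probability_to=0.02)
INSURANCE_30K = Control("fire insurance (raised coverage)", annual_cost=1_000, coverage=30_000)


def worked_example() -> dict:
    """Reproduce the six steps and return the intermediate figures."""
    with_insurance = residual_expected_risk(FIRE, [INSURANCE_20K])
    return {
        "gross": expected_gross_risk(FIRE),                       # step 3:  -50,000
        "with_insurance": with_insurance,                         # step 4:  -31,000
        # step 5, the tempting but wrong figure: adding the sprinkler's cost
        # without crediting its effect on the probability
        "naive": with_insurance - SPRINKLER.annual_cost,          #          -41,000
        "with_both": residual_expected_risk(FIRE, [SPRINKLER, INSURANCE_30K]),  # step 6: -1,000
    }


if __name__ == "__main__":
    for label, value in worked_example().items():
        print(f"{label:15s} {value:>12,.0f}")
    print("spend within limit:", control_spend_within_limit(FIRE, [SPRINKLER, INSURANCE_30K]))
```

The point of the `naive` entry is the trap the notes warn about in step 5: a preventive control changes the probability input, so the gross risk must be recomputed before its cost is deducted.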
Ethical Considerations and the Control Environment:
-COSO states that “ethical behavior and management integrity are products of the ‘corporate culture.’”
-Control Environment: reflects the organization's (primarily the board of directors' and management's) general awareness of and commitment to the importance of control throughout the organization.
-By setting the example and addressing the need for control in a positive manner at the top of the organization, management can make an organization control conscious.
-Management should consistently find it unacceptable for personnel to circumvent the organization’s system of controls, and the organization should impose stiff sanctions for such behavior (“tone at the top”)
Business Process Control Goals and Control Plans
Control Goals: business process objectives that an internal control system is designed to achieve.
***Internal controls are a means to an end, with the control goals being that end.
3 Control Goals of Operations Processes:
1) Ensure effectiveness of operations: A measure of success in meeting one or more operations process goals.
2) Ensure efficient employment of resources: A measure of the productivity of the resources applied to achieve a set of goals.
3) Ensure security of resources: Protecting an organization’s resources from loss, destruction, disclosure, copying, sale, or other misuse.
5 Control Goals of Information Processes:
1) Ensure input validity: A control goal that requires that input data be appropriately approved and represent actual economic events and objects.
2) Ensure input completeness: A control goal that requires that all valid events or objects be captured and entered into a system.
3) Ensure input accuracy: A control goal that requires that events be correctly captured and entered into a system.
4) Ensure update completeness: A control goal that requires that all events entered into a computer are reflected in their respective master data.
5) Ensure update accuracy: A control goal that requires that data entered into a computer are reflected correctly in their respective master data.
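The five information-process control goals above, each paired with a check a practitioner could run against a keyed batch, as an added example that is not from the notes or their textbook. The batch, the control slip (document count and hash total of quantities), the approved-customer list and the accounts-receivable master balances are constructed; the function names are this example's own. It goes slightly beyond the notes: the `skip_unknown` flag simulates a posting defect so that the update completeness/accuracy reconciliation has something to catch.

```python
"""Checks mapped to the five information-process control goals.

Added example; all records, the control slip, the approved-customer list
and the master-data layout are constructed for illustration.
"""
from typing import Dict, List

# Constructed approved-customer list: input validity requires that each event
# involve an approved counterparty (authorization), not merely a real one.
APPROVED_CUSTOMERS = {"C100", "C200", "C300"}

# Constructed batch as keyed by data entry. The control slip that travelled
# with the paper documents states how many there were and the hash total of
# their quantities; comparing the keyed batch with it is the completeness check.
BATCH = [
    {"doc": "SO-1", "customer": "C100", "qty": 10, "unit_price": 5.0, "amount": 50.0},
    {"doc": "SO-2", "customer": "C999", "qty": 3, "unit_price": 20.0, "amount": 60.0},  # customer not approved
    {"doc": "SO-3", "customer": "C200", "qty": 4, "unit_price": 2.5, "amount": 12.0},   # amount keyed wrong
]
CONTROL_SLIP = {"record_count": 4, "hash_total_qty": 22}   # a fourth document (qty 5) was never keyed

# Constructed accounts-receivable master data: balance per customer.
AR_MASTER_BEFORE = {"C200": 0.0, "C300": 25.0}


def check_input_validity(batch, approved) -> List[str]:
    """Goal 1: reject events whose customer is not on the approved list."""
    return [r["doc"] for r in batch if r["customer"] not in approved]


def check_input_completeness(batch, slip) -> List[str]:
    """Goal 2: every document on the control slip must have been keyed."""
    findings = []
    if len(batch) != slip["record_count"]:
        findings.append(f"record count {len(batch)} != slip {slip['record_count']}")
    hash_total = sum(r["qty"] for r in batch)
    if hash_total != slip["hash_total_qty"]:
        findings.append(f"hash total {hash_total} != slip {slip['hash_total_qty']}")
    return findings


def check_input_accuracy(batch) -> List[str]:
    """Goal 3: fields must be internally consistent (qty > 0, amount = qty x price)."""
    return [r["doc"] for r in batch
            if r["qty"] <= 0 or abs(r["qty"] * r["unit_price"] - r["amount"]) > 0.005]


def post_to_master(batch, master: Dict[str, float], skip_unknown: bool = False) -> Dict[str, float]:
    """Apply accepted events to the AR master balances.

    skip_unknown=True simulates a constructed posting defect: events for a
    customer with no existing master record are silently dropped.
    """
    updated = dict(master)
    for r in batch:
        if skip_unknown and r["customer"] not in updated:
            continue
        updated[r["customer"]] = updated.get(r["customer"], 0.0) + r["amount"]
    return updated


def check_update(batch, before, after) -> List[str]:
    """Goals 4 and 5: the master data must move by exactly the accepted batch total."""
    expected = sum(r["amount"] for r in batch)
    actual = sum(after.values()) - sum(before.values())
    if abs(expected - actual) > 0.005:
        return [f"master balances moved by {actual:.2f} but accepted batch totals {expected:.2f}"]
    return []


def run_controls(batch=BATCH, slip=CONTROL_SLIP, approved=APPROVED_CUSTOMERS,
                 master=AR_MASTER_BEFORE, skip_unknown=False) -> Dict[str, List[str]]:
    """Run the input controls, post only the clean records, then reconcile the update."""
    results = {
        "input validity": check_input_validity(batch, approved),
        "input completeness": check_input_completeness(batch, slip),
        "input accuracy": check_input_accuracy(batch),
    }
    rejected = set(results["input validity"]) | set(results["input accuracy"])
    accepted = [r for r in batch if r["doc"] not in rejected]
    after = post_to_master(accepted, master, skip_unknown)
    results["update completeness/accuracy"] = check_update(accepted, master, after)
    return results


if __name__ == "__main__":
    for goal, findings in run_controls().items():
        print(f"{goal:30s} {'OK' if not findings else findings}")
```

Note that the completeness finding does not stop the batch from posting; in practice the unkeyed document is chased through the exception report while the clean records proceed, which is why the update reconciliation is run against the accepted records rather than the control slip.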
Control Plans: reflect information processing policies and procedures that assist in accomplishing control goals. They can be classified in a number of different ways. One way is a control hierarchy that relates control plans to the control environment.
A Control Hierarchy:
1st Level: Control Environment: overall policies and procedures that enhance the efficiency and effectiveness of the organization's control plans. It comprises a multitude of goals and processes that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.
2nd Level: Pervasive Control Plans: relate to a multitude of goals and processes. They provide a climate or set of surrounding conditions in which the various business processes operate. They are broad in scope and apply equally to all business processes; they pervade all systems.
3rd Level: Business Process Control Plans: relate to those controls particular to a specific process or subsystem or to a particular technology used to process the data. They are the subject of the control framework.
Threats in a Computerized Environment
Virus: A virus is a piece of computer program that inserts itself into some other program, including operating systems, to propagate. It requires a host program; it cannot run independently.
Worm: Is a program (and a special type of virus) that can run independently and normally propagates itself over a network. It cannot attach itself to other programs.
Trojan Horse: A Trojan Horse is a program that appears to have a useful function but that contains a hidden and unintended function that presents a security risk. It does not usually replicate itself.
Denial-of-Service Attack: One computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network.
Phishing: Phishing is the sending of phony emails to try to lure people to phony web sites asking for financial information. SPAM, or unsolicited email, is an increasing burden both to individuals and to companies.
-From Becker